June 22, 2000
M-00-13
MEMORANDUM
FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
FROM: Jacob J. Lew, Director
SUBJECT: Privacy Policies and Data Collection on Federal Web Sites

The purpose of this memorandum is to remind you that each agency is required
by law and policy to establish clear privacy policies for its web
activities and to comply with those policies. Agency contractors
should also comply with those policies when operating web sites
on behalf of agencies.

As described in my memorandum of June 2, 1999, on "Privacy Policies on Federal
Web Sites," agencies are to post clear privacy policies on agency
principal web sites, as well as at any other known, major entry
points to sites, and at any web page where substantial amounts of
personal information are posted. Privacy policies must be clearly
labeled and easily accessed when someone visits a web site.

Agencies must take care to ensure full adherence with stated privacy policies.
For example, if an agency web site states that the information provided
will not be available to any other entities, it is the responsibility
of the agency to assure that no such sharing takes place. To ensure
such adherence, each agency should immediately review its compliance
with its stated web privacy policies.

Particular privacy concerns may be raised when uses of web technology can track
the activities of users over time and across different web sites.
These concerns are especially great where individuals who have come
to government web sites do not have clear and conspicuous notice
of any such tracking activities. "Cookies" -- small bits of software
that are placed on a web user's hard drive -- are a principal example
of current web technology that can be used in this way. The guidance
issued on June 2, 1999, provided that agencies could only use "cookies"
or other automatic means of collecting information if they gave
clear notice of those activities.

Because of the unique laws and traditions about government access to citizens'
personal information, the presumption should be that "cookies" will
not be used at Federal web sites. Under this new Federal policy,
"cookies" should not be used at Federal web sites, or by contractors
when operating web sites on behalf of agencies, unless, in addition
to clear and conspicuous notice, the following conditions are met:
a compelling need to gather the data on the site; appropriate and
publicly disclosed privacy safeguards for handling of information
derived from "cookies"; and personal approval by the head of the
agency. In addition, it is federal policy that all Federal web sites
and contractors when operating on behalf of agencies shall comply
with the standards set forth in the Children's Online Privacy Protection
Act of 1998 with respect to the collection of personal information
online at web sites directed to children.

A description of your privacy practices and the steps taken to ensure compliance
with this memorandum should be included as part of the submission
on information technology that is incorporated into the agency budget
submission this fall.